C++: Fix ql-for-ql findings.

2026-05-05 13:45:19 +02:00 · 2024-12-17 16:55:52 +00:00
parent 5ed0222b1a
commit 2cc6ffbd28
1 changed files with 21 additions and 15 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -2290,9 +2290,11 @@ private predicate controls(IRGuardCondition g, Node n, boolean edge) {
 module BarrierGuard<guardChecksSig/3 guardChecks> {
  bindingset[value, n]
  pragma[inline_late]
-  private predicate convertedExprHasValueNumber(Expr e, ValueNumber value, Node n) {
+  private predicate convertedExprHasValueNumber(ValueNumber value, Node n) {
-    e = value.getAnInstruction().getConvertedResultExpression() and
+    exists(Expr e |
-    n.asConvertedExpr() = e
+      e = value.getAnInstruction().getConvertedResultExpression() and
      n.asConvertedExpr() = e
    )
  }
  /**
@@ -2328,8 +2330,8 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
   * NOTE: If an indirect expression is tracked, use `getAnIndirectBarrierNode` instead.
   */
  Node getABarrierNode() {
-    exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
+    exists(IRGuardCondition g, ValueNumber value, boolean edge |
-      convertedExprHasValueNumber(e, value, result) and
+      convertedExprHasValueNumber(value, result) and
      guardChecks(g,
        pragma[only_bind_into](value.getAnInstruction().getConvertedResultExpression()), edge) and
      controls(g, result, edge)
@@ -2383,10 +2385,12 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
  bindingset[value, n]
  pragma[inline_late]
  private predicate indirectConvertedExprHasValueNumber(
-    Expr e, int indirectionIndex, ValueNumber value, Node n
+    int indirectionIndex, ValueNumber value, Node n
  ) {
-    e = value.getAnInstruction().getConvertedResultExpression() and
+    exists(Expr e |
-    n.asIndirectConvertedExpr(indirectionIndex) = e
+      e = value.getAnInstruction().getConvertedResultExpression() and
      n.asIndirectConvertedExpr(indirectionIndex) = e
    )
  }
  /**
@@ -2424,8 +2428,8 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
   * NOTE: If a non-indirect expression is tracked, use `getABarrierNode` instead.
   */
  Node getAnIndirectBarrierNode(int indirectionIndex) {
-    exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
+    exists(IRGuardCondition g, ValueNumber value, boolean edge |
-      indirectConvertedExprHasValueNumber(e, indirectionIndex, value, result) and
+      indirectConvertedExprHasValueNumber(indirectionIndex, value, result) and
      guardChecks(g,
        pragma[only_bind_into](value.getAnInstruction().getConvertedResultExpression()), edge) and
      controls(g, result, edge)
@@ -2466,16 +2470,18 @@ private EdgeKind getConditionalEdge(boolean branch) {
 module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardChecks> {
  bindingset[value, n]
  pragma[inline_late]
-  private predicate operandHasValueNumber(Operand use, ValueNumber value, Node n) {
+  private predicate operandHasValueNumber(ValueNumber value, Node n) {
-    use = value.getAnInstruction().getAUse() and
+    exists(Operand use |
-    n.asOperand() = use
+      use = value.getAnInstruction().getAUse() and
      n.asOperand() = use
    )
  }
  /** Gets a node that is safely guarded by the given guard check. */
  Node getABarrierNode() {
-    exists(IRGuardCondition g, ValueNumber value, boolean edge, Operand use |
+    exists(IRGuardCondition g, ValueNumber value, boolean edge |
      instructionGuardChecks(g, pragma[only_bind_into](value.getAnInstruction()), edge) and
-      operandHasValueNumber(use, value, result) and
+      operandHasValueNumber(value, result) and
      controls(g, result, edge)
    )
    or